From: Miroslav Lichvar <mlichvar@redhat.com>
Date: Thu, 11 Feb 2021 11:20:59 +0000 (+0100)
Subject: nts: allow multiple files with trusted certificates
X-Git-Tag: 4.1-pre1~56
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=316d47e3b40c28c9d6e38fe18900b7828f497649;p=thirdparty%2Fchrony.git

nts: allow multiple files with trusted certificates

Allow the ntstrustedcerts directive to be specified multiple times.
---

diff --git a/conf.c b/conf.c
index 4c62a075..3ae02540 100644
--- a/conf.c
+++ b/conf.c
@@ -77,6 +77,7 @@ static void parse_mailonchange(char *);
 static void parse_makestep(char *);
 static void parse_maxchange(char *);
 static void parse_ntsserver(char *, ARR_Instance files);
+static void parse_ntstrustedcerts(char *);
 static void parse_ratelimit(char *line, int *enabled, int *interval,
                             int *burst, int *leak);
 static void parse_refclock(char *);
@@ -260,7 +261,7 @@ static int nts_server_processes = 1;
 static int nts_server_connections = 100;
 static int nts_refresh = 2419200; /* 4 weeks */
 static int nts_rotate = 604800; /* 1 week */
-static char *nts_trusted_cert_file = NULL;
+static ARR_Instance nts_trusted_certs_files; /* array of (char *) */
 
 /* Number of clock updates needed to enable certificate time checks */
 static int no_cert_time_check = 0;
@@ -391,6 +392,7 @@ CNF_Initialise(int r, int client_only)
 
   nts_server_cert_files = ARR_CreateInstance(sizeof (char *));
   nts_server_key_files = ARR_CreateInstance(sizeof (char *));
+  nts_trusted_certs_files = ARR_CreateInstance(sizeof (char *));
 
   rtc_device = Strdup(DEFAULT_RTC_DEVICE);
   hwclock_file = Strdup(DEFAULT_HWCLOCK_FILE);
@@ -434,6 +436,8 @@ CNF_Finalise(void)
     Free(*(char **)ARR_GetElement(nts_server_cert_files, i));
   for (i = 0; i < ARR_GetSize(nts_server_key_files); i++)
     Free(*(char **)ARR_GetElement(nts_server_key_files, i));
+  for (i = 0; i < ARR_GetSize(nts_trusted_certs_files); i++)
+    Free(*(char **)ARR_GetElement(nts_trusted_certs_files, i));
 
   ARR_DestroyInstance(init_sources);
   ARR_DestroyInstance(ntp_sources);
@@ -447,6 +451,7 @@ CNF_Finalise(void)
 
   ARR_DestroyInstance(nts_server_cert_files);
   ARR_DestroyInstance(nts_server_key_files);
+  ARR_DestroyInstance(nts_trusted_certs_files);
 
   Free(drift_file);
   Free(dumpdir);
@@ -468,7 +473,6 @@ CNF_Finalise(void)
   Free(tempcomp_point_file);
   Free(nts_dump_dir);
   Free(nts_ntp_server);
-  Free(nts_trusted_cert_file);
 }
 
 /* ================================================== */
@@ -652,8 +656,6 @@ CNF_ParseLine(const char *filename, int number, char *line)
   } else if (!strcasecmp(command, "ntsratelimit")) {
     parse_ratelimit(p, &nts_ratelimit_enabled, &nts_ratelimit_interval,
                     &nts_ratelimit_burst, &nts_ratelimit_leak);
-  } else if (!strcasecmp(command, "ntstrustedcerts")) {
-    parse_string(p, &nts_trusted_cert_file);
   } else if (!strcasecmp(command, "ntscachedir") ||
              !strcasecmp(command, "ntsdumpdir")) {
     parse_string(p, &nts_dump_dir);
@@ -671,6 +673,8 @@ CNF_ParseLine(const char *filename, int number, char *line)
     parse_ntsserver(p, nts_server_cert_files);
   } else if (!strcasecmp(command, "ntsserverkey")) {
     parse_ntsserver(p, nts_server_key_files);
+  } else if (!strcasecmp(command, "ntstrustedcerts")) {
+    parse_ntstrustedcerts(p);
   } else if (!strcasecmp(command, "peer")) {
     parse_source(p, command, 1);
   } else if (!strcasecmp(command, "pidfile")) {
@@ -1178,6 +1182,17 @@ parse_ntsserver(char *line, ARR_Instance files)
 
 /* ================================================== */
 
+static void
+parse_ntstrustedcerts(char *line)
+{
+  char *file = NULL;
+
+  parse_string(line, &file);
+  ARR_AppendElement(nts_trusted_certs_files, &file);
+}
+
+/* ================================================== */
+
 static void
 parse_allow_deny(char *line, ARR_Instance restrictions, int allow)
 {
@@ -2589,10 +2604,12 @@ CNF_GetNtsRotate(void)
 
 /* ================================================== */
 
-char *
-CNF_GetNtsTrustedCertFile(void)
+int
+CNF_GetNtsTrustedCertsFiles(const char ***files)
 {
-  return nts_trusted_cert_file;
+  *files = ARR_GetElements(nts_trusted_certs_files);
+
+  return ARR_GetSize(nts_trusted_certs_files);
 }
 
 /* ================================================== */
diff --git a/conf.h b/conf.h
index cf5fc3ba..025ca607 100644
--- a/conf.h
+++ b/conf.h
@@ -159,7 +159,7 @@ extern int CNF_GetNtsServerProcesses(void);
 extern int CNF_GetNtsServerConnections(void);
 extern int CNF_GetNtsRefresh(void);
 extern int CNF_GetNtsRotate(void);
-extern char *CNF_GetNtsTrustedCertFile(void);
+extern int CNF_GetNtsTrustedCertsFiles(const char ***files);
 extern int CNF_GetNoSystemCert(void);
 extern int CNF_GetNoCertTimeCheck(void);
 
diff --git a/doc/chrony.conf.adoc b/doc/chrony.conf.adoc
index d9da7b40..a1de8148 100644
--- a/doc/chrony.conf.adoc
+++ b/doc/chrony.conf.adoc
@@ -755,6 +755,9 @@ This directive specifies a file containing certificates (in the PEM format) of
 trusted certificate authorities (CA) that should be used to verify certificates
 of NTS servers in addition to the system's default trusted CAs (if the
 *nosystemcert* directive is not present).
++
+This directive can be used multiple times to specify multiple files with
+trusted certificates.
 
 [[nosystemcert]]*nosystemcert*::
 This directive disables the system's default trusted CAs.
diff --git a/nts_ke_client.c b/nts_ke_client.c
index 5e87fe44..59a9730a 100644
--- a/nts_ke_client.c
+++ b/nts_ke_client.c
@@ -268,7 +268,9 @@ handle_message(void *arg)
 NKC_Instance
 NKC_CreateInstance(IPSockAddr *address, const char *name)
 {
+  const char **trusted_certs;
   NKC_Instance inst;
+  int n_certs;
 
   inst = MallocNew(struct NKC_Instance_Record);
 
@@ -279,9 +281,11 @@ NKC_CreateInstance(IPSockAddr *address, const char *name)
   inst->destroying = 0;
   inst->got_response = 0;
 
+  n_certs = CNF_GetNtsTrustedCertsFiles(&trusted_certs);
+
   /* Share the credentials with other client instances */
   if (!client_credentials)
-    client_credentials = NKSN_CreateClientCertCredentials(CNF_GetNtsTrustedCertFile());
+    client_credentials = NKSN_CreateClientCertCredentials(trusted_certs, n_certs);
   client_credentials_refs++;
 
   return inst;
diff --git a/nts_ke_session.c b/nts_ke_session.c
index d92b4c24..131ad90e 100644
--- a/nts_ke_session.c
+++ b/nts_ke_session.c
@@ -643,7 +643,7 @@ deinit_gnutls(void)
 
 static NKSN_Credentials
 create_credentials(const char **certs, const char **keys, int n_certs_keys,
-                   const char *trusted_certs)
+                   const char **trusted_certs, int n_trusted_certs)
 {
   gnutls_certificate_credentials_t credentials = NULL;
   int i, r;
@@ -674,10 +674,12 @@ create_credentials(const char **certs, const char **keys, int n_certs_keys,
     }
 
     if (trusted_certs) {
-      r = gnutls_certificate_set_x509_trust_file(credentials, trusted_certs,
-                                                 GNUTLS_X509_FMT_PEM);
-      if (r < 0)
-        goto error;
+      for (i = 0; i < n_trusted_certs; i++) {
+        r = gnutls_certificate_set_x509_trust_file(credentials, trusted_certs[i],
+                                                   GNUTLS_X509_FMT_PEM);
+        if (r < 0)
+          goto error;
+      }
     }
   }
 
@@ -698,15 +700,15 @@ error:
 NKSN_Credentials
 NKSN_CreateServerCertCredentials(const char **certs, const char **keys, int n_certs_keys)
 {
-  return create_credentials(certs, keys, n_certs_keys, NULL);
+  return create_credentials(certs, keys, n_certs_keys, NULL, 0);
 }
 
 /* ================================================== */
 
 NKSN_Credentials
-NKSN_CreateClientCertCredentials(const char *trusted_certs)
+NKSN_CreateClientCertCredentials(const char **trusted_certs, int n_certs)
 {
-  return create_credentials(NULL, NULL, 0, trusted_certs);
+  return create_credentials(NULL, NULL, 0, trusted_certs, n_certs);
 }
 
 /* ================================================== */
diff --git a/nts_ke_session.h b/nts_ke_session.h
index ed9c711f..eb19b920 100644
--- a/nts_ke_session.h
+++ b/nts_ke_session.h
@@ -43,7 +43,8 @@ typedef int (*NKSN_MessageHandler)(void *arg);
    different clients or servers. */
 extern NKSN_Credentials NKSN_CreateServerCertCredentials(const char **certs, const char **keys,
                                                          int n_certs_keys);
-extern NKSN_Credentials NKSN_CreateClientCertCredentials(const char *trusted_certs);
+extern NKSN_Credentials NKSN_CreateClientCertCredentials(const char **trusted_certs,
+                                                         int n_certs);
 
 /* Destroy the credentials */
 extern void NKSN_DestroyCertCredentials(NKSN_Credentials credentials);
diff --git a/test/unit/nts_ke_session.c b/test/unit/nts_ke_session.c
index b29675b9..1dd9aba7 100644
--- a/test/unit/nts_ke_session.c
+++ b/test/unit/nts_ke_session.c
@@ -179,7 +179,7 @@ test_unit(void)
     client = NKSN_CreateInstance(0, "test", handle_response, NULL);
 
     server_cred = NKSN_CreateServerCertCredentials(&cert, &key, 1);
-    client_cred = NKSN_CreateClientCertCredentials(cert);
+    client_cred = NKSN_CreateClientCertCredentials(&cert, 1);
 
     TEST_CHECK(socketpair(AF_UNIX, SOCK_STREAM, 0, sock_fds) == 0);
     TEST_CHECK(fcntl(sock_fds[0], F_SETFL, O_NONBLOCK) == 0);